Interesting way of protecting credit card data on untrusted hosts
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Sep 26 22:03:00 EDT 2009

A Canadian company called SmartSwipe has come up with an interesting way to
protect credit card numbers from most man-in-the-browser attacks. What they
do is install a Windows CSP (cryptographic service provider) that acts as a
proxy to an external mag-stripe reader with built-in crypto processing, so the
CSP on the host PC does nothing more than forward data to be encrypted out to
the external device. There's also a browser plug-in that pre-populates the
credit-card field in web forms with a cookie. When the page is sent to the
CSP for encryption for SSL, the software running on the reader recognises the
cookie in the web-form content, reads the card data via the mag-stripe reader,
inserts it into the web-form field, and returns the encrypted result to the
host PC to forward to the remote server. As a result, the CC data is never
present on the host PC.

The downsides are obvious: not secure against phishing (which is a killer),
only works with MSIE because of the requirement for use of a CSP (although you
could do it with Firefox as well by creating a PKCS #11 soft-token), and not
secure against page-rewrite trojans which have the web page show one thing and
do another, but it's an interesting concept. You can find a description of
the technology under the name Dynamic SSL(tm)(c)(p), a start point is:

http://www.smartswipe.ca/en/dynamic-ssl/600-dynamic-ssl-a-practical-solution-for-endpoint-to-endpoint-encryption

Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
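
The split described in the post, modelled as an added example that is not part of the original message or of SmartSwipe's code: a host-side proxy forwards the form to a device object that swaps the placeholder for the card number and encrypts the result. The placeholder format, the class and function names, the exactly-one-placeholder check, and the HMAC-based stand-in for the SSL record cipher are all assumptions.

```python
import hashlib, hmac, os
PLACEHOLDER = b"CARD-PLACEHOLDER-0001"  # constructed; the real cookie format is not on the page
TEST_PAN = b"4111111111111111"          # constructed test number, not a real account

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for the SSL record cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def open_record(key, record):  # server side: verify the MAC, then decrypt
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("bad record MAC")
    return _xor(ct, _stream(key, nonce, len(ct)))

class ExternalReader:
    """The mag-stripe reader: holds the session key and the swiped card data."""
    def __init__(self, key, pan):
        self._key, self._pan = key, pan
    def encrypt_record(self, plaintext):
        # Assumed sanity check (not described on the page): exactly one placeholder
        if plaintext.count(PLACEHOLDER) != 1:
            raise ValueError("expected exactly one placeholder")
        body = plaintext.replace(PLACEHOLDER, self._pan)  # PAN inserted inside the device
        nonce = os.urandom(16)
        ct = _xor(body, _stream(self._key, nonce, len(body)))
        return nonce + ct + hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()

class HostCSP:
    """The proxy CSP on the untrusted PC: forwards data and logs what touched host memory."""
    def __init__(self, reader):
        self.reader, self.seen = reader, []
    def encrypt_for_ssl(self, plaintext):
        record = self.reader.encrypt_record(plaintext)
        self.seen += [plaintext, record]
        return record

def run_demo():
    key = os.urandom(32)  # assumption: shared by reader and server, never held by the host
    host = HostCSP(ExternalReader(key, TEST_PAN))
    form = b"name=A+Customer&cardnumber=" + PLACEHOLDER + b"&expiry=1212"
    at_server = open_record(key, host.encrypt_for_ssl(form))
    return at_server, any(TEST_PAN in item for item in host.seen)
```

`run_demo()` returns the form as the server decrypts it together with a flag saying whether the card number ever appeared in the host's view. The device encrypts whatever form the host hands it, which is why the phishing and page-rewrite limits named in the post still apply.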